GDPR - 365 days to go

One year to go, companies are still behind on preparation, and those that are preparing are forgetting about the data held in email.

Today marks exactly one year until the European Union’s General Data Protection Regulation (GDPR) applies, on 25 May 2018. Yet despite having had some two years to get ready, most companies are still lagging in their preparations.

Two studies released in the last month show that the majority of companies in the UK, EU and US are yet to be compliant with the incoming rules. According to Shred-it, most UK companies are not even aware of the regulation, while a recent study by Compuware suggests that most US companies are aware of GDPR but a significant minority have no plan in place to deal with it.

“GDPR will represent the biggest change to data protection law in 20 years,” says Matthew Holman, Principal at EMW Law’s Commercial Team. “It will apply to all businesses, regardless of size, sector or turnover.”

GDPR’s rules, which apply to every company, inside or outside the EU, that processes the personal data of people in the EU, require a lawful basis for processing (consent is one such basis, and where it is relied on it must be freely given and specific), appropriate technical and organisational security measures such as encryption or pseudonymisation of personal data, a copy of their personal data for individuals who request it, notification of a personal data breach to the supervisory authority within 72 hours of becoming aware of it where feasible, and, in certain cases, the appointment of a Data Protection Officer. Fines for failure to comply can reach €20 million or 4% of global annual turnover, whichever is higher.

“One of the biggest issues faced by businesses is lack of senior management buy-in,” according to Holman. “There remains a degree of nonchalance in most company boardrooms about the importance and significance of data protection law.”

“When the GDPR arrives in 12 months’ time, the reality of implementation will almost certainly take many businesses by surprise. Average industry estimates for creation and execution of a GDPR compliance project are 12 to 15 months.”

For UK companies, don’t think Brexit will save you. The UK Information Commissioner’s Office (ICO) has said UK companies should carry on with their GDPR preparations, not only because the UK will still be in the EU when the rules take effect, but also because whatever UK privacy laws follow will be similar, if not identical. The fines the ICO issued in 2016 would have been almost 10 times greater under GDPR, according to an NCC Group study. Despite this, nearly a quarter of UK companies are thought to have halted their GDPR preparations.

According to Mimecast, email security is being overlooked in GDPR preparations, even by companies that are making an effort to prepare.

“GDPR changes what constitutes personal and sensitive data,” says Mayur Pitamber, Mimecast Product Marketing Manager. “Yet most organisations do not realise how much sensitive personal data is hidden within their employees’ email.”

“An ‘archive-all’ culture means organisations don’t always know what lurks in their vast pools of unstructured data such as email messages and attachments. Yet ignorance is no defence for compliance requirements.”
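The point about not knowing what lurks in an email archive has a concrete check behind it. The following Python script is an added example, not code from the article or from Mimecast: it builds two constructed sample messages (one with a CSV attachment) with the standard library, parses them back the way an archive export would be read, and inventories which messages and attachments contain patterns that look like email addresses, UK mobile numbers and UK National Insurance numbers. The regular expressions, category names and sample data are assumptions made for illustration; a real discovery run would add text extractors for PDF and Office attachments and tune the patterns to the data types the organisation actually holds.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Loose patterns for a first-pass inventory. They favour recall over precision:
# a human (or a stricter validator) still has to confirm each hit. The category
# names and the patterns themselves are assumptions made for this example.
PATTERNS = {
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "uk_mobile": re.compile(r"(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}"),
    # UK National Insurance number: two letters, six digits, suffix A-D
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}


def build_samples():
    """Return two constructed messages as raw RFC 822 bytes (fake data, not real)."""
    m1 = EmailMessage()
    m1["From"] = "hr@example.com"
    m1["To"] = "payroll@example.com"
    m1["Subject"] = "New starter details"
    m1["Message-ID"] = "<sample-1@example.com>"
    # QQ 12 34 56 C is the dummy NI number format HMRC uses in its own examples
    m1.set_content("Hi, Jane Doe starts Monday. NI number QQ123456C, mobile 07700 900123.\n")

    m2 = EmailMessage()
    m2["From"] = "sales@example.com"
    m2["To"] = "marketing@example.com"
    m2["Subject"] = "Contact list"
    m2["Message-ID"] = "<sample-2@example.com>"
    m2.set_content("Attached is the list you asked for.\n")
    # Personal data hiding in an attachment rather than in the body
    m2.add_attachment(
        "name,email,phone\nJohn Smith,john.smith@example.org,+44 7700 900456\n",
        subtype="csv",
        filename="contacts.csv",
    )
    return [m.as_bytes() for m in (m1, m2)]


def text_parts(msg):
    """Yield (label, text) for the body and every decodable text attachment."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            # multipart containers are skipped; binary attachments (PDF, DOCX)
            # would need their own text extractor before they can be scanned
            continue
        yield part.get_filename() or "body", part.get_content()


def scan_text(text):
    """Count matches per category, omitting categories with no hits."""
    counts = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    return {name: n for name, n in counts.items() if n}


def inventory(raw_messages):
    """Map Message-ID to sender, subject and per-part hit counts, for messages with hits.

    Header fields (From, To, Cc) carry personal data too, but are left out of the
    counts so that the inventory highlights data sitting in the content itself.
    Parts without a filename all share the label "body".
    """
    findings = {}
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        hits = {label: scan_text(text) for label, text in text_parts(msg)}
        hits = {label: c for label, c in hits.items() if c}
        if hits:
            findings[str(msg["Message-ID"])] = {
                "from": str(msg["From"]),
                "subject": str(msg["Subject"]),
                "hits": hits,
            }
    return findings


def summarise(findings):
    """Total hits per category across the whole archive."""
    totals = {}
    for entry in findings.values():
        for counts in entry["hits"].values():
            for name, n in counts.items():
                totals[name] = totals.get(name, 0) + n
    return totals


if __name__ == "__main__":
    found = inventory(build_samples())
    for msg_id, entry in found.items():
        print(msg_id, entry["from"], repr(entry["subject"]), entry["hits"])
    print("totals:", summarise(found))
```

Run against a real mbox export (for example by iterating a `mailbox.mbox` and passing each message's `as_bytes()` to `inventory`), the per-message report is what tells you which mailboxes and which attachment types hold the personal data you will have to locate, disclose or delete on request; the totals give the board the scale of the problem.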

IDG Connect’s GDPR coverage:
What we know, and don’t know, about GDPR
GDPR may leave some burned
From insular US firms to spammy marketers: Who will GDPR hit the hardest?
UK needs to align with GDPR, even post-Brexit
Brexit means GDPR and unhindered data flows
Is the EU-decreed DPO the next big IT role?
GDPR: The World needs “at least” 75,000 DPOs